
X-IronPort-Quarantine header Safelist compatibility

ivan.yeung
Level 1

Hi,

I have configured a content filter so that, for some conditions, the X-IronPort-Quarantine header will be added, so the email will be sent to the spam quarantine. However, if a user adds those sender emails to the spam quarantine safelist, it is still quarantined instead of being sent to the user's inbox. Are there any ways to work around this?

7 Replies

AshokJat
Level 1

Hi,

You can bypass the header value from a message filter.

If the user thinks that the mail is coming from the same domain, and thinks that it contains trustworthy mails, then he can add the header of that mail to the message filter and bypass the spam check for executing the same.

Thanks for your reply, AshokJat. However, how can an end user (inbox user) add a message filter?

I have this same issue.  Did you ever figure out how to solve this?

No idea yet.

I opened a TAC case to ask this question.  It's not the answer we were hoping for.  Here is their response:

The mail passes through the anti-spam engine with the sender marked in the safe-list. Then the mail will pass through the remaining further engines in the incoming mail policy. Since the mail is tagged with the X-IronPort tag, in the later coming content filter it will be sent to quarantine. The X-IronPort tag has nothing to do with the safe-list. The X-IronPort tag is the real culprit behind it. Removing the tag itself would be the only way, so the mail can go without a problem.

Would you not be able to add in the following within the filter?

If header does or does not exist:

header("X-SLBL-Result") != "^SAFE-LISTED$"

Chris, good call! I think that will work. I already check X-Ironport-Case-Suspect and X-Ironport-Case-Graymail before I add X-IronPort-Quarantine, so I'll just add X-SLBL-Result to the conditions. Thank you!
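
The behaviour discussed in this thread, modelled offline as an added example (not code from any poster and not appliance filter syntax): the safelist verdict is assumed to arrive as an `X-SLBL-Result: SAFE-LISTED` header, and the content filter only respects it once that header is part of its conditions. The `site_condition` check, the header value `"true"` and the sample messages are hypothetical and constructed for illustration.

```python
import re
from email import message_from_string

SAFE = re.compile(r"^SAFE-LISTED$")  # pattern quoted in the thread

def not_safelisted(msg):
    """Model of header("X-SLBL-Result") != "^SAFE-LISTED$":
    true when the header is absent or no value matches the pattern."""
    values = msg.get_all("X-SLBL-Result") or []
    return not any(SAFE.search(v.strip()) for v in values)

def site_condition(msg):
    # Hypothetical stand-in for the "some condition" in the original filter.
    return "invoice" in (msg["Subject"] or "").lower()

def apply_filter(raw, honor_safelist):
    """Return the message after the modelled content filter has run."""
    msg = message_from_string(raw)
    tag = site_condition(msg)
    if honor_safelist:
        # Amended filter: the safelist verdict is one more condition.
        tag = tag and not_safelisted(msg)
    if tag:
        msg["X-IronPort-Quarantine"] = "true"  # constructed value
    return msg

def quarantined(raw, honor_safelist):
    return "X-IronPort-Quarantine" in apply_filter(raw, honor_safelist)

# Constructed sample messages: one from a safelisted sender, one not.
SAFELISTED = ("From: partner@example.com\n"
              "X-SLBL-Result: SAFE-LISTED\n"
              "Subject: Invoice 42\n\nbody\n")
UNLISTED = ("From: stranger@example.net\n"
            "Subject: Invoice 43\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("safelisted", SAFELISTED), ("unlisted", UNLISTED)):
        print(name,
              "original filter:", quarantined(raw, honor_safelist=False),
              "amended filter:", quarantined(raw, honor_safelist=True))
```

A message with no `X-SLBL-Result` header at all satisfies the negated condition, so mail from senders who are not safelisted is still tagged by the amended filter.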